The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet

So I'm starting to create a React app, and I want an SSL certificate.
I'm working with nginx, on an AWS EC2.

What I don't understand is that in the detail output, we can see the beginning of the usual answer.
So I don't know what's wrong :confused:

My domain is: roxx-builder.com

I ran this command: sudo certbot --nginx -d roxx-builder.com -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for roxx-builder.com
Performing the following challenges:
http-01 challenge for roxx-builder.com
Waiting for verification...
Challenge failed for domain roxx-builder.com
http-01 challenge for roxx-builder.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: roxx-builder.com
  Type:   unauthorized
  Detail: 13.39.105.40: Invalid response from http://roxx-builder.com/.well-known/acme-challenge/rZ7Pm9YHAKVsC_KqZhNg8B1LXB435Pyx8325jNKN_cw: "<!doctype html><html lang=\"en\"><head><meta charset=\"utf-8\"/><link rel=\"icon\" href=\"/logo_cropped.png\"/><meta name=\"viewport\" con"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Nginx

The operating system my web server runs on is (include version): ubuntu 22.x

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Welcome @doud

Well, first check your DNS IP is pointing to your public IP. I'll assume that's correct.

I think that response is your server saying the client needs JavaScript. The Let's Encrypt servers do not support JavaScript. They just want the ACME challenge token returned to them.

The --nginx plugin should avoid that usually so we'd have to see your log file. Please copy it to a .txt file and upload it here. It's in /var/log/letsencrypt/

Here's the response to a test request which I think is the same as you are seeing to your actual request (some parts omitted)

curl -i http://roxx-builder.com/.well-known/acme-challenge/Test123
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)

<!doctype html><html lang="en"><head><meta charset="utf-8"/><link rel="icon" href="/logo_cropped.png"/><meta name="viewport" content="width=device-width,initial-scale=1"/>
...
<meta name="description" content="Web site created using create-react-app"/>
...
<title>Roxx Builder</title>
...
<noscript>You need to enable JavaScript to run this app.</noscript>

In addition to that, I'd like to see the full nginx configuration, with:

nginx -T


Hi, thank you for your quick answers.

I had multiple log files, so I concatenated them with: cat letsencrypt.log* > concat_log_files.txt :
concat_log_files.txt (216.9 KB)

The nginx -T command:
nginxT.txt (7.1 KB)

The logs boil down to:

"detail": "13.39.105.40: Invalid response from http://roxx-builder.com/.well-known/acme-challenge/rZ7Pm9YHAKVsC_KqZhNg8B1LXB435Pyx8325jNKN_cw: \"\u003c!doctype html\u003e\u003chtml lang=\\\"en\\\"\u003e\u003chead\u003e\u003cmeta charset=\\\"utf-8\\\"/\u003e\u003clink rel=\\\"icon\\\" href=\\\"/logo_cropped.png\\\"/\u003e\u003cmeta name=\\\"viewport\\\" con\"",
"detail": "13.39.105.40: Invalid response from http://roxx-builder.com/.well-known/acme-challenge/ot3rG6pgZPjPdvmeIA5zAhc5HpZ15m9EaSWVWTV4weQ: \"\u003c!doctype html\u003e\u003chtml lang=\\\"en\\\"\u003e\u003chead\u003e\u003cmeta charset=\\\"utf-8\\\"/\u003e\u003clink rel=\\\"icon\\\" href=\\\"/logo_cropped.png\\\"/\u003e\u003cmeta name=\\\"viewport\\\" con\"",
"detail": "13.39.105.40: Invalid response from http://roxx-builder.com/.well-known/acme-challenge/uhVDBK3UQU3ygI-SpQ7cDY5Uhh9t4bkgOM4d_NJ84es: \"\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\"\u003e\\n \u003chead\u003e\\n \u003cmeta charset=\\\"utf-8\\\" /\u003e\\n \u003clink rel=\\\"icon\\\" href=\\\"/logo_cropped.png\\\" /\u003e\\n \u003cmet\"",
"detail": "13.39.105.40: Fetching http://roxx-builder.com/.well-known/acme-challenge/5HgylSgTdavVzRZbdrCcZAQiMw-UAQbBvsnhqEBj5E0: Connection refused",
certbot.errors.ConfigurationError: Requested name 13.39.105.10 is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address.
certbot.errors.ConfigurationError: Requested name 13.39.105.10 is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address.
"detail": "13.39.105.40: Invalid response from http://roxx-builder.com/.well-known/acme-challenge/ftAF6zBy0TNsaz66ArQHkuFzzYiWWcf-u3o8uBviaic: \"\u003c!doctype html\u003e\u003chtml lang=\\\"en\\\"\u003e\u003chead\u003e\u003cmeta charset=\\\"utf-8\\\"/\u003e\u003clink rel=\\\"icon\\\" href=\\\"/logo_cropped.png\\\"/\u003e\u003cmeta name=\\\"viewport\\\" con\"",
certbot.errors.ConfigurationError: Requested name 13.39.105.10 is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address.
"detail": "13.39.105.40: Invalid response from http://roxx-builder.com/.well-known/acme-challenge/tYWrX2Qp5f2U5YcckDXB3W9IHpc1ZajAYyN-_iMYWdY: \"\u003c!doctype html\u003e\u003chtml lang=\\\"en\\\"\u003e\u003chead\u003e\u003cmeta charset=\\\"utf-8\\\"/\u003e\u003clink rel=\\\"icon\\\" href=\\\"/logo_cropped.png\\\"/\u003e\u003cmeta name=\\\"viewport\\\" con\"",
"detail": "13.39.105.40: Fetching http://roxx-builder.com/.well-known/acme-challenge/mBB8Wo0gxO_-D1QTkYZUQqWDwi7_s5Aq8mlpPjplk8g: Connection refused",
"detail": "13.39.105.40: Fetching http://roxx-builder.com/.well-known/acme-challenge/SLzP-sVq29jdbdSycc20kglIRn7EyIy_01aPdgn1Blg: Connection refused",
"detail": "13.39.105.40: Invalid response from http://roxx-builder.com/.well-known/acme-challenge/dymDxCN5-lJdKj-4iNUOCk6QXECccbKbaurRimIJ1mg: \"\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\"\u003e\\n \u003chead\u003e\\n \u003cmeta charset=\\\"utf-8\\\" /\u003e\\n \u003clink rel=\\\"icon\\\" href=\\\"/logo_cropped.png\\\" /\u003e\\n \u003cmet\"",
"detail": "213.186.33.5: Invalid response from http://www.roxx-builder.com: \"\u003chtml xml:lang=\\\"fr-FR\\\" lang=\\\"fr-FR\\\"\u003e\\n\u003chead\u003e\\n\u003ctitle qtlid=\\\"28806\\\"\u003eFélicitations ! Votre domaine a bien été créé chez OVHclou\"",

The nginx config boils down to:

# configuration file /etc/nginx/sites-enabled/roxx-builder:
server {
        listen 3000;

        server_name roxx-builder.com 13.39.105.10;

        root /home/ubuntu/roxx-builder-web/front-end/vanille-fraise-web/build;
        index index.html;

        location / {
                try_files $uri $uri/ /index.html =404;
        }
}

To double check [in case you edited anything in those responses]...
Please show these outputs:
ls -l /etc/nginx/conf.d/*.conf
ls -l /etc/nginx/sites-enabled/*

  • ls -l /etc/nginx/conf.d/*.conf
    total 0

  • ls -l /etc/nginx/sites-enabled/*
    lrwxrwxrwx 1 root root 39 Dec 15 17:02 /etc/nginx/sites-enabled/roxx-builder -> /etc/nginx/sites-available/roxx-builder


Indeed, it seems like it gets the default OVH cloud page

I see two [different] IPs...

What shows?

curl ifconfig.io


curl ifconfig.io:
13.39.105.40

The other IP is probably a typo; where do you see it?

-> OK, I saw it in the config. I'll change it. I was trying things.

You have it as a server name in your Apache virtual host. You should remove that anyway, or at least not request that name for your certificate. Let's Encrypt does not issue certificates for IP names, just domain names.


Hi, okay, so I fixed it. Here was the issue:
My React app was listening on port 3000, and I had a routing from port 80 to 3000 to access the app.

For some reason it didn't work. So I changed the React app to listen directly on port 80, and it seems to work.

(also, I removed the wrong IP from the config)

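A preflight check for the three things that went wrong in this thread (the server block listening on 3000 instead of 80, the IP address in server_name, and the React catch-all answering the challenge URL with index.html), as an added example that is not code from the thread or from Certbot: it lints the text of nginx -T before certbot is run. The function name, message strings and the two sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: lint the text of `nginx -T` for
#   1. no server block naming the domain that listens on port 80 (http-01 is
#      validated on port 80 only, so a block on 3000 never sees the request)
#   2. an IPv4 literal in server_name (certbot --nginx requests every name in
#      the block, and Let's Encrypt refuses to issue for IP addresses)
#   3. an SPA catch-all (try_files ... /index.html) with no explicit location
#      for /.well-known/acme-challenge/, so a misrouted challenge request gets
#      index.html with HTTP 200 instead of a 404 that would expose the problem

# check_http01_config DOMAIN CONFIG_TEXT: prints findings, returns 0 when clean
check_http01_config() {
    domain=$1; config=$2; status=0
    # 1: walk the server blocks, tracking listen port and server_name per block
    if ! printf '%s\n' "$config" | awk -v d="$domain" '
        /^[ \t]*server[ \t]*[{]/ { if (l80 && named) ok = 1; l80 = named = 0 }
        /^[ \t]*listen[ \t]/ { p = $2; sub(/;$/, "", p); sub(/.*:/, "", p); if (p == "80") l80 = 1 }
        /^[ \t]*server_name[ \t]/ {
            for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); if (n == d) named = 1 }
        }
        END { if (l80 && named) ok = 1; exit !ok }'; then
        echo "PROBLEM: no server block for $domain listens on port 80"; status=1
    fi
    # 2: any IPv4 literal among the server_name tokens
    if printf '%s\n' "$config" | grep -E '^[[:space:]]*server_name[[:space:]]' |
       grep -Eq '[[:space:]]([0-9]+\.){3}[0-9]+([[:space:];]|$)'; then
        echo "PROBLEM: server_name contains an IP address; the CA will not issue for it"; status=1
    fi
    # 3: SPA fallback with nothing carving out the ACME challenge path
    if printf '%s\n' "$config" | grep -Eq 'try_files.*/index\.html' &&
       ! printf '%s\n' "$config" | grep -q 'location.*\.well-known/acme-challenge'; then
        echo "WARN: try_files falls back to /index.html and no location covers /.well-known/acme-challenge/"; status=1
    fi
    return $status
}

# Constructed sample: the server block as posted in this thread.
BROKEN_CONFIG='server {
        listen 3000;
        server_name roxx-builder.com 13.39.105.10;
        root /home/ubuntu/roxx-builder-web/front-end/vanille-fraise-web/build;
        location / { try_files $uri $uri/ /index.html =404; }
}'
# Constructed sample: the same site with the three findings fixed.
FIXED_CONFIG='server {
        listen 80;
        server_name roxx-builder.com;
        root /home/ubuntu/roxx-builder-web/front-end/vanille-fraise-web/build;
        location ^~ /.well-known/acme-challenge/ { default_type text/plain; }
        location / { try_files $uri $uri/ /index.html; }
}'
```

Against a live host, feed it the real dump: `cfg=$(nginx -T 2>/dev/null); check_http01_config roxx-builder.com "$cfg"`.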
